NSA warns defense contractors to double check connections in light of Russian hacking

The National Security Agency warned defense contractors in a memo on Thursday to reexamine the security of the connections between their operational technology and information technology in light of recent alleged Russian hacking.

The alert, which references the sweeping SolarWinds espionage operation that U.S. officials have blamed on the Russian government, is meant to convince operational technology (OT) owners and operators in the defense industrial base to limit the scope and scale of any potential attack surface for U.S. adversaries to exploit, the NSA said in the alert.

“Each IT-OT connection increases the potential attack surface,” the NSA said. “To prevent dangerous results from OT exploitation, OT operators and IT system administrators should ensure only the most imperative IT-OT connections are allowed, and that these are hardened to the greatest extent possible.”

The alert comes weeks after the Biden administration formally attributed the recent espionage campaign to hackers working for Russia’s Foreign Intelligence Service (SVR). The hackers, also known as APT29 or Cozy Bear, laced a software update from federal contractor SolarWinds with malicious code last year, according to the U.S. intelligence community. Through that operation, the Russian hackers compromised U.S. federal agencies and private sector entities, including some OT and U.S. critical infrastructure, according to the Department of Homeland Security’s cybersecurity agency, the Cybersecurity and Infrastructure Security Agency (CISA).

Hundreds of electric utilities installed the tainted SolarWinds software, according to the North American power grid regulator, the North American Electric Reliability Corp. (NERC). Some organizations ran the compromised software in their OT networks, raising concerns about vulnerabilities in U.S. critical infrastructure and OT environments.

“A significant shift in how operational technologies (OT) are viewed, evaluated, and secured within the U.S. is needed to prevent malicious cyber actors (MCA) from executing successful, and potentially damaging, cyber effects,” the NSA said in the memo.

In a recognition that OT operators need to step up their game, the NSA urged OT owners and operators Thursday to reevaluate whether each OT-IT connection is necessary or mission-critical, and whether it can be disconnected to reduce the risk of adversaries exploiting it.

“While there are very real needs for connectivity and automating processes, operational technologies and control systems are inherently at risk when connected to enterprise IT systems,” the NSA said in the memo. “Seriously consider the risk, benefits, and cost before connecting (or continuing to connect) enterprise IT and OT networks.”

The NSA Cybersecurity Director issued the alert as part of an ongoing effort to share more information with the public about specific threats from U.S. adversaries to better thwart their intelligence-gathering or more destructive campaigns.

Federal agencies have been issuing other alerts and memos for months to advise information security practitioners on how best to fend off the Russian hackers. Earlier this month the NSA, along with the FBI and CISA, issued a memo detailing the APT29 hackers’ tradecraft in an effort to stymie the attackers.